Page 4 of 4 FirstFirst ... 234
Results 31 to 39 of 39

Thread: Grub 2 Password Protection

  1. #31
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Quote Originally Posted by kakkerpolakke View Post
    Hey,

    I have a little problem. I need to restart my root password on Ubuntu (GRUB 1.98)

    I've followed instructions elsewhere, but it hasn't worked so far. Others basically said I should edit the kernel line that begins: init=

    ... but I simply don't have it here.

    Thanks for any advice,
    Grub is a universal loader that doesn't deal with OS specific passwords. While you can add kernel options to the "linux" line in the menuentry (such as quiet, splash, nomodeset, etc I am not aware of the option that would deal with Ubuntu's root password settings. If you found one, it would be placed on the GRUB_CMDLINE_LINUX_DEFAULT="" line of /etc/default/grub.

    Here is one list of available kernel options:
    http://www.kernel.org/doc/Documentat...parameters.txt
    GRUB2

    Retired.

  2. #32
    Join Date
    Aug 2008
    Location
    South East Montana
    Beans
    6,153

    Re: Grub 2 Password Protection

    Quote Originally Posted by kakkerpolakke View Post
    Hey,

    I have a little problem. I need to restart my root password on Ubuntu (GRUB 1.98)

    I've followed instructions elsewhere, but it hasn't worked so far. Others basically said I should edit the kernel line that begins: init=

    ... but I simply don't have it here.

    Thanks for any advice,
    If you mean that you must reset your root password take a look at;
    Code:
    man passwd
    You will need to have a live CD (or another install on your box) and chroot to your install to use the commands to change a root pass word.
    Dell 480 XPS 3G ram Quad Core 2.40GHz, Radeon HD 2400 PRO, Audigy1, 3x320G HDD, 320G External, Debian Testing for use, Debian Squeeze for secure use, Debian Sid for FUN

  3. #33
    Join Date
    Jul 2011
    Beans
    3

    Re: Grub 2 Password Protection

    This is exactly what I was looking for, protected all entries for recovery.

    I'm using GRUB 1.98 on Lucid Lynx and this guide worked flawlessly.

    Thanks a lot!

    The question is, if someone would boot up the machine from a live CD will the still be able to change the GRUB configuration files and gain the root access that way?

  4. #34
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Quote Originally Posted by snooffy View Post
    The question is, if someone would boot up the machine from a live CD will the still be able to change the GRUB configuration files and gain the root access that way?
    Yes they would. Physical access to a computer normally trumps security measures.

    You could add a BIOS password (if your BIOS allows it) so that access to any OS or CD is restricted, adding an extra level of security.
    GRUB2

    Retired.

  5. #35
    Join Date
    Jul 2009
    Beans
    101

    Re: Grub 2 Password Protection

    DRS305: Thank you for this excellent guide.


    I can confirm that this all works with GNU GRUB version 1.99-9


    I also used this as a reference:


    http://www.gnu.org/software/grub/manual/html_node/index.html


    Section:
    15 Authentication and authorisation
    21 Invoking grub-mkpasswd-pbkdf2


    Straying a little from your guide, I added this at the end of 00_header:


    Code:
     cat <<EOF
         set superusers="root"
         password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
     EOF
    For the “biglongstring” use “password_pbkdf2” and cut&paste.


    And then I changed the menuentry's in 10|20|30 files to:


    Code:
     printf "menuentry –users '' '${title}' ${CLASS} {\n" "${os}" "${version}"
     and
     menuentry –users “” "${LONGNAME} (${2}-bit) (on ${DEVICE})" {
    You need to be careful with your quoting, inside the printf statement you need to use single quotes.


    By giving a “NULL string” to the “–users” options you only need to change the 00_header file when you change the password and then run update-grub.


    On a multi-boot setup your can have different users for the different OS's, therefore the idea to sync the passwords up with the password file is definitely worth while to look into.


    Of course all of this can be by-passed by simply using a CD/DVD like “super grub”, “plop”, or a “live CD”. Again the old adage “physical access = root access” applies. However, I fell it adds yet another layer to the onion called “security”; let them work for the access.


    Happy to contribute.


    George
    Ubuntu User 29830, Linux User 500817

  6. #36
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Quote Originally Posted by georgemc View Post
    I can confirm that this all works with GNU GRUB version 1.99-9

    Happy to contribute.

    George
    Thanks for the information. Good to know it still works in 1.99.

    I'll try to digest your post and update the original post (with credit of course) if needed.

    Update: Revised Section 7 on encrypted passwords.
    Last edited by drs305; July 29th, 2011 at 10:53 PM.
    GRUB2

    Retired.

  7. #37
    Join Date
    Dec 2011
    Beans
    1

    Re: Grub 2 Password Protection

    I am new and it's been a long time there was no comment on this topic but I have a little question on the section about how to secure "Recovery Entries" for linux.
    Password protect the Recovery Mode option: /etc/grub.d/10_linux Also make the change as described in the /etc/grub.d/00_header section above.
    From (GNU GRUB 1.98-1ubuntu5):
    Quote:
    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
    To:
    Quote:
    if ${recovery} ; then
    printf "menuentry '${title}' --users user1 ${CLASS} {\n" "${os}" "${version}"
    else
    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
    fi
    I've changed the line printf "menuentry ... by the others but it doesn't work.
    It was written: printf "menuentry '${title}' --users user1 ${CLASS} {\n" "${os}" "${version}" but I wonder if it was rather that: printf "menuentry --users user1 '${title}' ${CLASS} {\n" "${os}" "${version}" ?

    Thank you in advance.

  8. #38
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    ignisterra

    Welcome to the Ubuntu Forums.

    As you found out, this guide was written when Grub 1.98 was very young. Thanks for pointing out that things have changed a bit, even in this older version of Grub.

    I booted an old copy of Lucid, which still uses Grub 1.98, and updated it to the current Grub 1.98 package.

    The entry in 00_header does not appear to have changed, however the 10_linux entry is indeed a bit different now.

    This is what I show as the default Grub 1.98 /etc/grub.d/10_linux default entry linux (approximately line 70).
    if ${recovery} ; then
    title="$(gettext_quoted "%s, with Linux %s (recovery mode)")"
    else
    title="$(gettext_quoted "%s, with Linux %s")"
    fi
    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
    I wasn't sure about the exact format of your suggestion, so I just did some experimenting. The way I got it to work was to edit the "printf" line to include the user, add the that line in each conditional section, and remove it from the end. This is what worked for me (for user drs305):

    if ${recovery} ; then
    title="$(gettext_quoted "%s, with Linux %s (recovery mode)")"
    printf "menuentry '${title}' ${CLASS} --users drs305 {\n" "${os}" "${version}"
    else
    title="$(gettext_quoted "%s, with Linux %s")"
    printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
    fi
    Don't forget to update-grub, and if you need to make sure you are using Grub 1.98 just run "grub-install -v".

    If this works for you please let me know and I'll update the first post.
    GRUB2

    Retired.

  9. #39
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Grub 2 Password Protection

    Thread Closed.

    This page has been migrated to the Ubuntu Community Documentation site. For the most up-to-date information, please visit:
    https://help.ubuntu.com/community/Grub2/Passwords

    The above page is a sub-page of the main community documentation regarding Grub2.

    Thank you to all the users who posted in these threads and expanded our knowledge of Grub 2 since it's introduction.

    A thread for discussion of the wiki can be found at http://ubuntuforums.org/showthread.php?p=12073029


    Support threads regarding the wiki and it's content should be created in a suitable forum.
    GRUB2

    Retired.

Page 4 of 4 FirstFirst ... 234

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •